1. The Field of the Invention
The present invention relates to secure communications. More particularly, the present invention relates to the use of certificates for encryption of communications.
2. Background and Related Art
Computing and networking technology has transformed the way we work and play. Networks have become so prolific that a simple network-enabled computing system may communicate with any one of millions of other computing systems spread throughout the globe over a conglomeration of networks often referred to as the “Internet”. Such computing systems may include desktop, laptop, or tablet personal computers; Personal Digital Assistants (PDAs); telephones; or any other computer or device capable of communicating over a digital network.
In order to communicate over a network, one computing system (referred to herein as a “source computing system” or “source client”) constructs or otherwise accesses an electronic message and transmits the electronic message over a network to another computing system (referred to herein as a “destination computing system” or “destination client”). The electronic message may be read by a human user as when the electronic message is an e-mail or instant message, or may be read, instead, by an application running on the receiving computing system. The electronic message may be constructed by an application running on the sending computing system with the possible assistance of a human user.
Although such electronic messaging advantageously allows for computing systems to exchange information and thereby serve their associated users in ways not before known, the electronic messages are subject to interception. Depending on the sensitivity of the content of the electronic message, this could be quite harmful, and even catastrophic in some cases. In order to guard against interception, the electronic messages are often encrypted such that only those having a certain binary sequence (called a “key”) may decrypt the electronic message to thereby access the information represented in the electronic message. Efforts are made so that, ideally, only the receiving computing system has access to the key needed to decrypt the electronic message. Accordingly, absent extraordinary efforts, any intervening interceptor would only have access to the encrypted form of the electronic message.
In symmetric encryption, the same key that is used to encrypt an electronic message may be used to decrypt the electronic message. In asymmetric encryption, a “public key” and a “private key” are associated with a particular computing system. The public key is made known to a wide variety of computing systems while the private key is not disseminated. The private key may be used to decrypt any messages that are encrypted using the public key. The private key is more sensitive than the public key since the receiving computing system should be the only computing system able to decrypt electronic messages intended for that computing system.
In order to facilitate encryption, the sending computing system often accesses an electronic certificate associated with the receiving computing system. FIG. 8 illustrates a data structure of a certificate 800 in accordance with the prior art. The certificate 800 includes validation information 803. The validation information 803 allows a sending computing system to validate that the certificate does indeed correspond to the receiving computing system and that the certificate has not been revoked. An X.509 certificate is one type of certificate that is now in widespread use. The validation information of an X.509 certificate may include, for example, a URL that may be accessed to verify whether or not the certificate does correspond to the destination computing system. The validation information of an X.509 certificate may also include a certificate revocation list to indicate whether or not the certificate has been revoked.
The certificate 800 also includes certificate identifying information 802 that allows the sending computing system to identify the certificate. For example, an X.509 certificate might include a key identifier or perhaps the combination of an issuer identifier and a serial number.
The certificate 800 also includes encryption information 801 (e.g., a public key in an X.509 certificate). The encryption information allows the sending computing system to encrypt the electronic message in a manner that may be decrypted by the destination computing system corresponding to the certificate. For example, when the sending computing system encrypts an electronic message using a public key corresponding to the destination computing system, the destination computing system will ideally be the only computing system having the corresponding private key needed to decrypt the electronic message.
There are significant cases when the certificate is used at the point of encryption. For example, conventionally when encrypting e-mail that uses S/MIME, the certificate for the receiving computing system is used at the sending computing system itself in order to aid the sending computing system in performing encryption. MIME (Multipurpose Internet Mail Extensions) is a specification for formatting non-ASCII messages so that they can be sent over the Internet. Many e-mail clients now support MIME, which enables them to send and receive graphics, audio, and video files via the Internet mail system. MIME was defined in 1992 by the Internet Engineering Task Force (IETF). S/MIME is a standard that defines a way to encrypt and encode contents of e-mail messages that are conformant to the MIME standard. S/MIME is based on the public-key encryption technology described above. It is expected that S/MIME will be widely implemented, which will make it possible for people to send secure e-mail messages to one another, even if they are using different e-mail applications.
There are some potential impediments to widespread adoption and utilization of certificate-based encryption technology such as that defined by S/MIME, particularly on limited-memory mobile devices. Currently, in order to encrypt a message in certificate-based encryption, the entire certificate is accessed. An X.509 certificate may often be well over 1 kilobyte in size. A certificate is conventionally used for each potential recipient of the message. Some messages may have numerous recipients, thereby increasing the amount of memory needed to store the certificates. This could significantly slow performance when working on a mobile device, which typically has relatively restricted memory and processor capability.
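The following added example, which is not part of the original text, walks the DER encoding of an X.509 certificate and measures how many bytes belong to the identifying information (issuer plus serial number) and the encryption information (the public key) compared with the certificate as a whole. The sample certificate is constructed in the code with a placeholder key and signature, and counting everything else (signature, validity period, subject, extensions) as "other" is this example's assumption.

```python
def tlv(tag, body):  # DER encoder, used only to build the constructed sample below
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) of the TLV at pos, bounded by end."""
    if pos + 2 > end:
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        k = length & 0x7F
        if k == 0 or pos + k > end:
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + length > end:
        raise ValueError("value overruns its container")
    return tag, pos, pos + length

def split_certificate(der):
    """Byte counts: issuer+serial (identifying), SubjectPublicKeyInfo (encryption), rest."""
    tag, pos, end = read_tlv(der, 0, len(der))         # Certificate
    tbs_tag, pos, tbs_end = read_tlv(der, pos, end)    # tbsCertificate
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate")
    fields = []
    while pos < tbs_end:
        _, _, nxt = read_tlv(der, pos, tbs_end)
        fields.append(der[pos:nxt])
        pos = nxt
    if fields and fields[0][0] == 0xA0:                # optional [0] version
        fields.pop(0)
    serial, _, issuer, _, _, spki = fields[:6]  # RFC 5280 order; ValueError if fields are missing
    ident, enc = len(serial) + len(issuer), len(spki)
    return {"total": len(der), "identifying": ident, "encryption": enc, "other": len(der) - ident - enc}

def build_sample():
    """Constructed sample (not a real certificate): placeholder 2048-bit key and signature."""
    oid = lambda h: tlv(0x06, bytes.fromhex(h))
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, oid("550403") + tlv(0x0C, cn))))
    alg = tlv(0x30, oid("2a864886f70d01010b") + tlv(0x05, b""))
    key = tlv(0x30, tlv(0x02, b"\x00" + b"\xc3" * 256) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, oid("2a864886f70d010101") + tlv(0x05, b"")) + tlv(0x03, b"\x00" + key))
    dates = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x10\x01") + alg
              + name(b"Example CA") + dates + name(b"recipient@example.test") + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\x5a" * 256))

if __name__ == "__main__":
    print(split_certificate(build_sample()))
```

The sample carries no extensions, so its "other" share is smaller than in a typical issued certificate; `split_certificate` accepts any DER-encoded certificate, so the same measurement can be taken on a real one.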
Furthermore, the sending computing system often acquires the certificates from another computing system over a high latency and/or low bandwidth connection (e.g., a dial-up or wireless connection). In particular, certificates are often stored in centralized repositories or directories for access by e-mail users. The size of a certificate greatly impacts e-mail users who are connected to these repositories over slow network connections. Thus, what would be advantageous is a certificate-based encryption technology that reduces memory, processor, and bandwidth requirements.